Alternate Data Streams

Alternate Data Streams

I want to recap a topic that has been around for a while: Alternate Data Streams. This topic has resurfaced again in an interesting way. I'm going to tell you about it in later post. However, I thought I'd explain Alternate Data Streams again, just in case some of you don't know what they are. The later post will then make more sense.

So, what are Alternate Data Streams? Well, it happens that NTFS files can have more than one set of data stored inside them. (You cross-platform guys might know about "resource forks." This is a similar concept.) Everyone knows about the primary stream. This is the data that we normally associate with files. It is the data that we see when we open the file, and it accounts for the file size numbers that we see in file listings. However, we can "hide" other sets of data in a file too. Let's look at a simple example. (It is very important that you use the same commands that I do. Not all console commands are aware of alternate data streams.)

You should see that the file contains 8 bytes. That's 5 bytes for my name, 2 bytes for the CRLF, and 1 byte for the space. (Look closely at the command. There's a space between my name and the ">" character.) This is all very normal. Now let's mess with some alternate streams.

Add my wife's name to the file, in an alternate data stream:echo Tammy > names.txt:wife

There are now two separate sets of data in this one file. One, the default, contains my name. The alternate stream contains my wife's name. However, the directory listing shows 8 bytes, not the 16 that are actually there. The dir command is not aware of alternate data streams, so it doesn't account for them in its listing. Some of the file's data is now hidden.

Let go one step further. Add my son's name:echo > Evan names.txt:son

Check out the results as we did before. You now have 23 bytes of data contained in three steams, but the directory listing still shows 8.

Neat, huh?

I'll leave the rest to you. Remember that we are talking data streams here, not text. There is a demo on the web that shows how to hide calc.exe inside sol.exe. You can execute either program, too. The possibilities run deep.

Now, why did I bring this up? I'll tell you more in another post. However, for right now, you should know that many programs take advantage of these streams. For example, some virus scanners hide tracking data in the files that they scan. Some viruses hide themselves in there too. Stay turned for more.